Javascript Weak Cipher Des Ecb
Description
Detects the use of insecure cryptographic ciphers in JavaScript code, specifically the DES algorithm in ECB mode. The use of DES-ECB is considered cryptographically weak and can lead to information disclosure since identical plaintext blocks are encrypted to identical ciphertext blocks.
Detection Strategy
• Identifies calls to cipher creation functions in JavaScript code
• Checks if the cipher algorithm specified is DES (Data Encryption Standard)
• Verifies if the cipher mode is ECB (Electronic Code Book)
• Reports a vulnerability when DES-ECB cipher creation is detected in the code
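The four steps above can be expressed as a small static check. The following is an added example, not Fluid Attacks' scanner or any code from the original page: it finds cipher-creation calls from Node's crypto module whose algorithm is given as a string literal naming DES in ECB mode, and reports the line of each call. The two- and three-key triple-DES ECB names (`des-ede-ecb`, `des-ede3-ecb`) are included as an assumption of this example, since the ECB weakness is a property of the mode; an algorithm held in a variable rather than a literal is not detected. The sample source is constructed for illustration.

```javascript
// Added example (not the page's or Fluid Attacks' code): a minimal static check
// that follows the detection strategy above on JavaScript source text.

// Step 1: cipher-creation functions from Node's crypto module, followed by an
// opening parenthesis and a quoted algorithm name (single, double or backtick
// quotes; the literal may sit on a following line).
const CALL_RE = /\b(createCipheriv|createDecipheriv|createCipher|createDecipher)\s*\(\s*(['"`])([^'"`]*)\2/g;

// Steps 2 and 3: DES in ECB mode. Triple-DES ECB names are included as an
// assumption of this example, because the block-repetition leak comes from ECB.
const DES_ECB_RE = /^des(-ede3?)?-ecb$/i;

// Step 4: one finding per offending call, with its 1-based line number.
function findDesEcb(source) {
  const findings = [];
  const re = new RegExp(CALL_RE.source, CALL_RE.flags); // fresh lastIndex per scan
  let m;
  while ((m = re.exec(source)) !== null) {
    const fn = m[1];
    const algorithm = m[3].trim();
    if (DES_ECB_RE.test(algorithm)) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({
        line,
        fn,
        algorithm,
        message: `insecure cipher: ${fn}('${algorithm}') uses DES in ECB mode`,
      });
    }
  }
  return findings;
}

// Constructed sample source: lines 2 and 3 should be reported, 4 and 5 should not
// (DES-CBC is weak as well, but it is not what this rule looks for).
const SAMPLE_SOURCE = [
  "const crypto = require('crypto');",
  "const weak = crypto.createCipheriv('des-ecb', Buffer.from('12345678', 'utf8'), '');",
  'const weak3 = crypto.createDecipheriv("des-ede3-ecb", key3, "");',
  "const ok = crypto.createCipheriv('aes-256-gcm', key, iv);",
  "const cbc = crypto.createCipheriv('des-cbc', key8, iv8);",
].join('\n');

for (const f of findDesEcb(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.message}`);
}
```

Running the block prints one line for each of the two DES-ECB calls in the sample. A production rule would work on an AST rather than a regular expression, but the decision logic (creator function, algorithm, mode) is the same.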
Vulnerable code example
const crypto = require('crypto');
// Vulnerable: DES-ECB is cryptographically weak and unsafe
// (56-bit effective key, and ECB encrypts identical plaintext blocks to identical ciphertext blocks)
const cipher = crypto.createCipheriv('des-ecb',
  Buffer.from('12345678', 'utf8'), // hard-coded 8-byte key
  '');                              // ECB takes no IV
const encrypted = cipher.update('secret data', 'utf8', 'hex') + cipher.final('hex');
✅ Secure code example
const crypto = require('crypto');
// Generate cryptographically strong random values
const salt = crypto.randomBytes(16);
const iv = crypto.randomBytes(12); // 12 bytes for GCM mode
// Derive secure key using scrypt KDF with salt
const key = crypto.scryptSync(process.env.ENCRYPTION_KEY, salt, 32); // 32 bytes for AES-256
// Encrypt with an authenticated mode; the auth tag lets the receiver detect any modification
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
const encrypted = cipher.update('secret data', 'utf8', 'hex') + cipher.final('hex');
const authTag = cipher.getAuthTag(); // store salt, iv, authTag and encrypted together